💾 Archived View for mirrors.apple2.org.za › archive › www.textfiles.com › apple › CRACKING › kracksp… captured on 2023-01-29 at 11:42:53.

     BOTH BECAUSE MR. KRAC-MAN WAS
GENEROUS ENOUGH TO SEND ME AN ORIGINAL
OF THE PROGRAM, AND BECAUSE THE
ORIGINAL PUCKMAN WAS THE FIRST REAL
PROTECTED DISK I EVER BROKE, IT WAS FUN
TO GET MY HANDS ON THE NEW "SUPER
PUCKMAN", OR KAMEARI. IT TURNED OUT TO
BE NOT QUITE AS HARD TO BREAK AS THE
FIRST ONE, BUT IT PROVIDED SOME
INTERESTING CHALLENGES.

     IF YOU CATCH THE PROGRAM AT THE
RIGHT POINT, IT'S SMALL ENOUGH TO FIT
IN A NORMAL DOS BFILE, SO WE WON'T GET
TO GO THROUGH THE THEORY AND PRACTICE
OF PROGRAM PACKING ON THIS ONE. THE
SEQUENCING USED TO LOAD THE GAME AND
ACCESS THE DISK LATER IS A LITTLE
UNUSUAL, AND WOULD HAVE BEEN TOUGHER IF
THEY HADN'T MADE A FEW MISTAKES.

     A FIRST-STAGE BOOT TRACE REVEALS
THE FIRST INTERESTING TRICK--THE
CONTENTS OF $814-8FF ARE EXCLUSIVE-ORED
WITH THE ADDRESS LOW BYTE AND STUFFED
INTO PAGE ONE WITH SOME CUTE CODE:

   0801-  LDX $26
   0803-  TXS
   0804-  DEC $27
   0806-  LDA ($26),Y
   0808-  EOR $26
   080A-  TSX
   080B-  PHA
   080C-  DEC $26
   080E-  CPX #$14
   0810-  BNE $806
   0812-  RTS

NOW, THIS IS NOT BAD FOR THE FIRST PART
OF A PROTECTION SCHEME, BECAUSE IT
REQUIRES A REASONABLE KNOWLEDGE OF THE
DOS BOOT PROCESS AS WELL AS 6502
STACK/PAGE ONE USAGE. THE TRICKS ARE:

1. YOU HAVE TO KNOW (OR GUESS) THAT $26
   CONTAINS 0 AND $27 CONTAINS 9 AFTER
   THE FIRST STAGE BOOT,
2. YOU HAVE TO UNDERSTAND HOW THE
   INDEXED, INDIRECT LOAD WORKS AT
   $806,
3. YOU NEED AN UNDERSTANDING OF THE TSX
   AND TXS INSTRUCTIONS, AND
4. YOU NEED TO INTERPRET THE FINAL RTS
   CORRECTLY.

(IF YOU KNOW ALL THESE, SKIP THIS
EXPLANATION AND GO ON TO THE MEAT OF
THE PROTECTION SCHEME BELOW).

    IN THE ORDER LISTED ABOVE, LOCATION
$26 CONTAINS 0 FROM THE BOOT ROM AT
LOCATION $C652, WHERE THE ACCUMULATOR
WAS STORED AFTER CALLING THE
"WAIT" ROUTINE AT $FCA8 (ACC=0 ON EXIT
FROM "WAIT"). LOCATION $27 IS THE HIGH
BYTE OF THE TWO-BYTE STORAGE POINTER,
AND IT IS INCREMENTED FROM $08 TO $09
IN CASE THERE'S MORE THAN ONE SECTOR TO
LOAD IN ON THE FIRST STAGE BOOT. LDA
($26),Y MEANS LOOK AT THE LOCATION
POINTED TO BY $26 AND $27, ADD THE
CONTENTS OF THE Y-REGISTER TO IT, AND
LOAD THE ACCUMULATOR WITH THE CONTENTS
OF THAT LOCATION: IF $26=32, $27=08,
AND THE Y-REG=17, THE ADDRESS IS
$832+$17, OR $849.  NEXT, AS THOSE OF
YOU WHO STAYED AWAKE THROUGH THE
DESCRIPTION OF THE STACK AND STACK
POINTER IN THE ARCADE MACHINE FILE WILL
RECALL, THE TSX AND TXS INSTRUCTIONS
REFER TO TRANSFERRING A BYTE BETWEEN
THE ->STACK POINTER<- AND THE
X-REGISTER, NOT BETWEEN THE STACK AND
THE REGISTER.

THE FIRST BYTE FETCHED FROM $26 THROUGH
THE X-REG IS USED TO INITIALIZE THE
STACK POINTER AT $00, MEANING THAT
THE NEXT BYTE PUSHED ON THE STACK WILL
BE PLACED IN LOCATION $100. SINCE THE
STACK POINTER IS A NINE BIT HARDWARE
REGISTER WITH THE MOST SIGNIFICANT BIT
SET, IT WILL ALWAYS CONTAIN A VALUE
BETWEEN $100 AND $1FF. IF YOU 'PUSH'
(PHA) ANOTHER BYTE ONTO THE STACK, IT
GOES NOT INTO $FF, BUT INTO $1FF.
SUCCESSIVE BYTES GO INTO $1FE, $1FD,
ETC. THIS IS KNOWN AS "STACK
WRAPAROUND", AND WAS USED BY IDSI IN
THEIR 'JUGGLER' PROTECTION, AMONG
OTHERS. AFTER THE FIRST TIME THROUGH,
EACH BYTE FROM $8FF DOWN TO $814 IS
EXCLUSIVE-ORED WITH THE ADDRESS LOW
BYTE ($FF-$14), AND PUSHED ON THE STACK
IN THE CORRESPONDING LOCATION FROM $1FF
TO $114.  EACH TIME THROUGH, THE STACK
POINTER IS LOADED INTO THE X-REGISTER
TO COMPARE IT WITH #$14 TO FIND OUT IF
ENOUGH BYTES HAVE BEEN TRANSFERRED.
WHEN $14 IS FOUND, THEY DO AN 'RTS'.
THIS TAKES THE TWO BYTES ABOVE THE
STACK POINTER, INCREMENTS THE LOW BYTE,
AND PLACES THEM INTO THE PROGRAM
COUNTER. THE PROGRAM CONTINUES TO RUN
AT THE NEW LOCATION (A VARIATION OF
"JUMPING THROUGH THE STACK").
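To make the walk-through above concrete, here is an added Python model of the $801 loop. It is my code, not anything from the disk, and it assumes the first-stage boot also leaves Y=0 (the article only states $26=0 and $27=9). It runs over a constructed 256-byte image of $800-$8FF whose bytes at $814/$815 are chosen so the final RTS lands at $116, as described.

```python
# Added model of the page-one decoder at $801-$812 (not code from the disk).
# Only the state the loop touches is modelled: A, X, Y, S, $26/$27, the source
# page at $800-$8FF and the destination page at $100-$1FF.

def decode_to_page_one(page8, y=0):
    """Run the $801 loop over a 256-byte image of $800-$8FF.

    Returns (page1, rts_target): the image of $100-$1FF the loop leaves
    behind and the address the final RTS transfers control to.
    y is the Y register at entry; assumed to be 0 after the first-stage boot.
    """
    if len(page8) != 256:
        raise ValueError("page8 must be exactly 256 bytes ($800-$8FF)")
    mem = bytearray(0x10000)
    mem[0x800:0x900] = page8
    mem[0x26] = 0x00                     # A=0 from WAIT, stored by the boot ROM
    mem[0x27] = 0x09                     # already bumped to $09 by the boot ROM

    x = mem[0x26]                        # LDX $26
    s = x                                # TXS: stack pointer = $00
    mem[0x27] = (mem[0x27] - 1) & 0xFF   # DEC $27: pointer now $0800
    while True:
        ptr = mem[0x26] | (mem[0x27] << 8)
        a = mem[(ptr + y) & 0xFFFF]      # LDA ($26),Y
        a ^= mem[0x26]                   # EOR $26: the key is the address low byte
        x = s                            # TSX
        mem[0x100 | s] = a               # PHA: S always addresses page one...
        s = (s - 1) & 0xFF               # ...and wraps from $00 to $FF
        mem[0x26] = (mem[0x26] - 1) & 0xFF   # DEC $26: walks $00,$FF,$FE,...,$14
        if x == 0x14:                    # CPX #$14 / BNE $806
            break

    # RTS: pull low byte, then high byte, add one to form the new PC
    s = (s + 1) & 0xFF
    lo = mem[0x100 | s]
    s = (s + 1) & 0xFF
    hi = mem[0x100 | s]
    rts_target = (((hi << 8) | lo) + 1) & 0xFFFF
    return bytes(mem[0x100:0x200]), rts_target


def constructed_page8():
    """Constructed sample image of $800-$8FF (not the real disk contents).
    $814/$815 hold $01/$14 so that, after EOR with $14/$15, page one gets
    $15/$01 at $114/$115 and the RTS lands at $0115+1 = $0116."""
    page = bytearray(((i * 0x6B) + 0x2D) & 0xFF for i in range(256))
    page[0x14] = 0x01
    page[0x15] = 0x14
    return bytes(page)


if __name__ == "__main__":
    page1, target = decode_to_page_one(constructed_page8())
    print(f"RTS continues at ${target:04X}")
    print("page one $114-$11F:", page1[0x14:0x20].hex(" "))
```

Note that $101-$113 are never written: the loop pushes one byte at $100 on its first pass, then $1FF down to $114, and stops as soon as TSX reads back $14, so only $116 onward is code the RTS can reach.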

     THE NEW STARTING LOCATION IS $116
(IT MAY SEEM A LITTLE STRANGE TO
EXECUTE CODE OUT OF WHAT IS NORMALLY
THE STACK PAGE, BUT THERE'S NOTHING
ILLEGAL ABOUT IT.  APPLESOFT, IN FACT,
HAS A SHORT SUBROUTINE CALLED 'CHRGET'
AT $B1-C8 IN ZERO PAGE!). BRIEFLY, THE
PROGRAM RUNS A CHECKSUM ON $120-1FF
TO MAKE SURE THOSE NASTY KRACKISTS
HAVEN'T CHANGED ANYTHING, THEN CLEARS
ALL OF MEMORY FROM $800-B7FF. AFTER
SETTING UP THE SCREEN TO VIEW HIRES
PAGE TWO (SO YOU CAN'T SEE THE READ
ROUTINE LOADING IN ACROSS THE TEXT
SCREEN MEMORY), TRACK 0 OF THE DISK IS
SEARCHED FOR THE BYTE SEQUENCE "DD AD
DA". ASTUTE READERS OF THIS COLUMN WILL
RECALL THAT THIS IS THE OLD SIRIUS
TRADEMARK, AND JUST THE BEGINNING OF
THE RIP-OFF OF SIRIUS PROTECTION
TECHNIQUES USED BY THE PUBLISHER
(APPARENTLY, IT'S ALL RIGHT TO
PLAGIARIZE CODE FROM A COMPETITOR'S
PROTECTION SCHEME, BUT NOT TO MAKE
BACKUP COPIES OF SOFTWARE PROTECTED
WITH THE STOLEN CODE!). THE REAL LOADER
PROGRAM IS LOADED INTO $400-7FF
(REMEMBER CYCLOD AND FRIENDS?), AND
AFTER CHECKING FOR A SINGLE EPILOG BYTE
OF $EE ON THE TRACK, WE DO A CHECKSUM
ON ZERO PAGE AND JUMP TO $400 WITH THE
CHECKSUM BYTE IN THE ACCUMULATOR. THE
OLD "4+4" NIBBLIZING FROM SIRIUS IS
USED, AND THE PROGRAM IS CONTAINED IN A
SINGLE RECORD WHICH IS $800 NIBBLES
LONG AND FOLLOWS SECTOR 0, WHICH IS IN
NORMAL DOS FORMAT, ON TRACK 0 (THE NICE
THINGS ABOUT 4+4 NIBBLIZING ARE THAT
INDIVIDUAL BYTES CAN BE LOCATED AND
CHANGED, AS DESCRIBED IN THE 'WAY OUT'
FILE, AND THE NUMBER OF NIBBLES IS
ALWAYS EXACTLY EQUAL TO TWICE THE
NUMBER OF BYTES IN THE RECORD).

     AT $400, THE CHECKSUM OF ZERO PAGE
IS REPEATED AND COMPARED (THEY ONLY
NEED TO BE THE SAME), AND THERE IS A
BUNCH OF LANGUAGE CARD DEPROTECTION
AND CHECKING OF THE RESET AND NMI
VECTORS. IF ANY OF THE CHECKS FAIL, AN
ERROR MESSAGE IS PRINTED AND THE
ILLEGAL OPCODE $12 IS EXECUTED TO CAUSE
THE SYSTEM TO HANG. TRUE TO THE SIRIUS
HERITAGE, THE LOADER THEN FILLS UP
MEMORY BY READING TRACKS 1-D (TWELVE
PAGES EACH) INTO $0800-A3FF, USING AN
ADDRESS MARKER OF DD AD DA AND THE $EE
EPILOG BYTE. AFTER JUMPING TO $612, THE
MAIN SCREEN IS MOVED FROM $8000-9FFF TO
$4000-5FFF, AND THE MAIN PROGRAM IS
ENTERED AT $800. SOURCE CODE FOR THE
READER IS SHOWN BELOW:

           ORG $0579
           STA $05     ;DESTINATION
           PHA         ;HIGH BYTE
           LDY H03FE   ;NUMBER OF
           STY $06     ;PAGES TO READ
           LDY #$00    ;CLEAR DEST'N
           STY $04     ;LOW BYTE.
           LDX H03FF
     H0588 LDA HC08C,X ;BEGIN TO SEARCH
           BPL H0588   ;FOR THE 'DD AD
     H058D CMP #$DD    ;DA' SEQUENCE
           BNE H0588
     H0591 LDA HC08C,X
           BPL H0591
           CMP #$AD
           BNE H058D
     H059A LDA HC08C,X
           BPL H059A
           CMP #$DA
           BNE H058D   ;AFTER HEADER,
     H05A3 LDA HC08C,X ;GET THE FIRST
           BPL H05A3   ;NIBBLE, SET THE
           SEC         ;CARRY, ROTATE
           ROL         ;LEFT, AND STORE
           STA $0F     ;IT IN $0F
     H05AC LDA HC08C,X ;GET THE SECOND
           BPL H05AC   ;NIBBLE: AND IT
           AND $0F     ;WITH THE FIRST
           STA ($04),Y ;STORE COMPLETE
           INY         ;BYTE AND GO ON
           BNE H05A3   ;TO THE NEXT.
           INC $05     ;DEST'N ADDRESS
           DEC $06     ;PAGE COUNTER
           BNE H05A3
     H05BE LDA HC08C,X ;CHECK FOR
           BPL H05BE   ;EPILOG BYTE
           CMP #$EE
           BNE H0578
           PLA
           RTS
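As an added example (my Python, not the publisher's or Sirius's code), here is the 4+4 scheme from the previous paragraph together with a mirror of the reader listed above, run over a constructed track image. The header, epilog and decode step (SEC / ROL / AND) are taken from the listing; everything else, including the track contents, is constructed for the demonstration.

```python
# Added example: 4+4 nibble coding and a Python mirror of the $579 reader.
# Not code from the disk; the track image it reads is constructed below.

HEADER = (0xDD, 0xAD, 0xDA)   # address marker the reader hunts for at $588-$59F
EPILOG = 0xEE                 # the single epilog nibble checked at $5BE

def encode_44(data):
    """Turn each byte into two disk nibbles.  The first carries the odd bits
    (7,5,3,1), the second the even bits; ORing with $AA fills the gaps with
    ones so every nibble has its high bit set, as the drive requires."""
    out = bytearray()
    for b in data:
        out.append(((b >> 1) | 0xAA) & 0xFF)
        out.append((b | 0xAA) & 0xFF)
    return bytes(out)

def decode_44(n1, n2):
    """Exactly what $5A3-$5B3 does: SEC, ROL the first nibble, AND the second."""
    return ((n1 << 1) | 1) & n2 & 0xFF

def read_record(nibbles, pages):
    """Mirror of the reader at $579 over a nibble sequence.

    Searches for DD AD DA with the same fall-back as the 6502 code (a
    mismatched nibble is re-tested against $DD rather than discarded),
    decodes pages*256 bytes, then requires the $EE epilog.  Returns the
    decoded bytes, or None where the real loader would just keep retrying.
    """
    n = len(nibbles)
    i = 0
    while True:                               # H0588 .. BNE H058D
        while i < n and nibbles[i] != HEADER[0]:
            i += 1
        if i >= n:
            return None
        i += 1
        if i < n and nibbles[i] == HEADER[1]:
            i += 1
            if i < n and nibbles[i] == HEADER[2]:
                i += 1
                break
        # mismatch: loop back and compare the nibble already in hand with $DD
    needed = pages * 256
    data = bytearray()
    while len(data) < needed:                 # H05A3 .. BNE H05A3 / DEC $06
        if i + 1 >= n:
            return None
        data.append(decode_44(nibbles[i], nibbles[i + 1]))
        i += 2
    if i >= n or nibbles[i] != EPILOG:        # H05BE: CMP #$EE
        return None
    return bytes(data)

def constructed_track(data):
    """Constructed track image: filler, a near-miss DD, the real header,
    the 4+4 data and the epilog nibble."""
    return (bytes([0xFF] * 5 + [0xDD, 0xAA]) + bytes(HEADER)
            + encode_44(data) + bytes([EPILOG]))

if __name__ == "__main__":
    print(encode_44(bytes([0x4C, 0x00, 0x08])).hex(" ").upper())   # JMP $0800
    page = bytes(range(256))
    print(read_record(constructed_track(page), 1) == page)
```

Because each byte maps to exactly two nibbles, the offset of any byte in the record is simply twice its offset in memory, which is what makes the single-byte patching described further down possible.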



     AT THIS POINT, ALL THE PROGRAM
RESIDES IN $0000-8000, SO IT'S A GOOD
PLACE TO INTERRUPT AND SAVE IT. IT
SEEMS STRANGE THAT, WITH ALL THE OTHER
SIRIUS-TYPE PROTECTION, THERE'S NO
CHECKSUM ON THE LOADER, SO WE CAN GO IN
AND CHANGE BYTES ON A COPY OF THE DISK.
IT'S EASY TO COPY THE DISK BY USING
NIBBLES AWAY WITH AN ADDRESS MARKER OF
DD AD DA FOR TRACKS 0-E, BUT YOU CAN
ACTUALLY GET BY WITH ONLY COPYING TRACK
0 ONTO A SEPARATE DISK (NA OR LOCKSMITH
WILL BOTH COPY IT WITHOUT PARMS, SINCE
THERE IS A STANDARD DOS 3.3 SECTOR ON
IT). THERE IS NO DISK ERROR HANDLING,
SO A DISK WITH ONLY TRACK ZERO ON IT
JUST SITS AND SPINS, ALLOWING YOU TO
REMOVE IT AND INSERT THE ORIGINAL TO
LOAD IN TRACKS 1-D. AS IN DAYS OF OLD,
READ IN TRACK ZERO USING THE TRACK
EDITOR FROM NIBBLES AWAY, THEN TYPE 'Z'
TO MAKE IT ANALYZE THE TRACK. SET THE
DISPLAY TO THE POINTER PAGE WITH
'G6800', THEN SEARCH FOR THE STRING "AE
EE AA AA AE AA", WHICH IS "4C 00 08" OR
'JMP $0800' IN 4+4 NIBBLEZE. CHANGE
THIS TO "AE EE AE FB FF FF", WHICH
MEANS 'JMP $FF59', OR "AE EE EE EF FF
FE" WHICH IS 'JMP $FECD' FOR USE WITH A
KRAKROM (THE RIGHT ONE TO USE HERE IS
KRAKROM4, SINCE $2000-3FFF CONTAINS
PROGRAM CODE AND $4000-5FFF HAS ONLY A
HI-RES PICTURE). WRITE THE ALTERED
TRACK TO A BLANK DISK WITH THE 'W'
COMMAND.

     BOOT THE NEW DISK, AND WHEN IT
SPINS, INSERT THE ORIGINAL. AFTER THE
NORMAL LOAD, THE BANNER WILL BE
DISPLAYED FOR ABOUT 5 SECONDS BEFORE
YOUR MODIFICATION AT $66E REDIRECTS THE
PROGRAM INTO THE MONITOR. ASSUMING THAT
YOU USED A KRAKROM, THE ENTIRE PROGRAM
IS NOW CONTAINED IN $900-7FFF AND CAN
BE SAVED AS A BFILE AFTER BOOTING A
SLAVE DISKETTE.

     MODIFICATIONS ARE EASY NOW, AND
THIS IS ONE SET OF 'CLEANUP' ACTIVITIES
THAT WILL BRING THE PROGRAM INTO
CONDITION TO BRUN:

1. BOOT A SLAVE DISK, THEN MOVE PAGE 8
BACK FROM $4800-48FF.
2. MOVE THE STORED ZERO PAGE MEMORY
FROM $4000-40FF TO $8000-80FF.
3. WRITE A MEMORY MOVE ROUTINE AT $8050
WHICH WILL RESTORE ZERO PAGE TO $0-FF
(SEE BELOW). DON'T FORGET TO SET UP
HIRES PAGE 2 AND CLEAR THE KEYBOARD
STROBE.
4. REPLACE THE PICTURE IN $4000-5FFF
WITH ONE CONTAINING YOUR OWN
ADVERTISING (YOU CAN RESET THE ORIGINAL
AFTER THE BOOT AND SAVE THE PICTURE AS
A BINARY FILE FOR MODIFICATION).
5. PUT '4C 50 80' OR 'JMP 8050' AT $7FD
TO START THE PROGRAM.
6. BSAVE KAMEARI,A$7FD,L$7880.

           ORG $8050
           LDY #$00
     H8052 LDA H8000,Y ;RETURN ZERO
           STA H0000,Y ;PAGE TO $0-FF
           INY
           BNE H8052
           LDX #$60    ;SET UP STACK
           TXS         ;POINTER AND
           LDA TXTCLR  ;GRAPHICS
           LDA HISCR
           LDA MIXCLR
           LDA HIRES
           LDA STROBE
           LDA #$80    ;LOAD UP THE
           LDX #$60    ;REGISTERS
           LDY #$00
           JMP H0800   ;BEGIN PROGRAM

    TXTCLR = $C050
     HISCR = $C055
    MIXCLR = $C052
     HIRES = $C057
    STROBE = $C010


     THE RESULTING PROGRAM WILL RUN
JUST FINE UNTIL YOU CLEAR A BOARD AND
ADVANCE TO THE NEXT LEVEL. AT THAT
POINT, THE DISK STARTS TO SPIN AND
THE SYSTEM REFUSES TO RESPOND TO ANY
INPUTS. THE REASON IS THE INSTRUCTION
AT $B5C WHICH JUMPS TO $403, WHICH
JUMPS TO $5D5:

           ORG $05D5
           TYA
           PHA
           LDY #$00
           STA H03FE
     H05DC LDX H03FF
           LDA HC089,X ;START THE DRIVE
           LDA #$30
           JSR WAIT
           LDA #$7F
           JSR H0579   ;READ THE "TRACK"
           LDX H03FF   ;INTO 7F00-UP
           LDA HC088,X ;STOP DRIVE
           LDA #$00
           TAY
     H05F5 EOR H7F00,Y ;CHECKSUM 7F00-
           INY         ;7FFF
           BNE H05F5
           CMP #$44
           BNE H05DC
           JSR H7F00   ;DO SUBROUTINE
           LDY #$00
     H0604 CLC
           ADC #$45    ;AND WIPE OUT
           STA H7F00,Y ;THE CODE SO
           INY         ;IT MUST BE READ
           BPL H0604   ;IN EACH TIME
           PLA
           TAY
           JMP H0CE8

      WAIT = $FCA8


THIS ROUTINE LOADS THE SINGLE PAGE
CONTAINED ON TRACK E INTO $7F00-7FFF,
EXECUTES THE SUBROUTINE AT $7F00, AND
MANGLES THE CODE IN PAGE $7F FOR GOOD
MEASURE. BY LOADING THE CODE IN ONCE
AND NOP'ING THE MANGLE ROUTINE, YOU CAN
AVOID THE UNNECESSARY DISK ACCESS AND
HAVE A 122-SECTOR KAMEARI PROGRAM TO
USE AS YOU SEE FIT. CHANGE $B5C FROM
'4C 03 04' TO '4C 80 1A', AND PUT THIS
SHORT SUBSTITUTE ROUTINE AT $1A80:

           ORG $1A80
           TYA
           PHA
           JSR H7F00
           PLA
           TAY
           JMP H0CE8


     KAMEARI IS A DECENT ENOUGH PACMAN,
BUT IT LACKS THE "PAUSE" CONTROL WITH
THE ESCAPE KEY THAT'S BECOME STANDARD
IN GAMES FROM THE U.S.A. YOU CAN ADD
ONE BY CHANGING LOCATIONS $1717-1719 TO
'4C 40 14', AND ADDING THIS SHORT
ROUTINE AT $1440:

           ORG $1440
           CMP #$9B   ;WAS IT 'ESC'?
           BEQ H144B
           CMP #$CB   ;NO, CHECK FOR 'K'
           BNE H145A  ;NOTHING, EXIT
           JMP H175D  ;IT WAS K, ->175D
     H144B LDA STROBE ;IT WAS ESC, CLR
     H144E LDA KEY    ;THE STROBE AND
           BPL H144E  ;WAIT FOR ANOTHER
           CMP #$9B   ;'ESC' TO BE HIT
           BNE H144E
           LDA STROBE ;MUST CLEAR HERE!
     H145A RTS

     H175D = $175D
    STROBE = $C010
       KEY = $C000


     IT'S A PLEASANT BIT OF NOSTALGIA
TO SEE SOMEONE USING THE OLD TECHNIQUES
WITH A NEW TWIST, AND IT PROVIDES US
A CHANCE TO REVIEW SOME OF THE KRACKING
APPROACHES THAT USED TO BE
"STATE-OF-THE-ART". SEE YOU IN A "WEEK"
OR SO WITH THAT PROMISED ARTICLE FROM
THE BASICS OF KRACKING SERIES.